Insights
Publications

Twists in the Plot: California AG Releases Final CCPA Regulations

August 27, 2020 Blog

With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:

  • Language for Do Not Sell Link. Prior versions enabled companies selling personal information to include a link reading “Do Not Sell My Info,” but that language is no longer acceptable and must instead read “Do Not Sell My Personal Information” as called for in the statute. (Section 999.305(b)(3))
  • Agent Verification. While requests to know and delete from an authorized agent of the data subject continue to require significant validation, where the authorized agent is merely making an opt-out request, a signed permission is sufficient verification. (Section 999.315(f))
  • Financial Incentive. The definition for “financial incentive” no longer includes payments/etc. in connection with the “retention” of personal information. Thus, in line with the statute, the requirements concerning financial incentives will not be broadened beyond those offered in connection with the “collection, deletion, or sale” of personal information. (Section 999.301(j))
  • Offline Notice. The final regulations removed the requirement that a privacy notice be provided where the business interacts with consumers offline to collect information (e.g., through an in-store, handwritten e-mail sign-up list). Businesses will instead be able to provide the notice solely on the website. If the business does not have a website, though, it would of course need to provide the notice in connection with the collection of personal data. (Section 999.306(b))
  • Opt-Out Method. The AG had provided that the method of opt-out be “easy for consumers to execute” and “require minimal steps.” While an overly-complicated opt-out procedure will likely still be found to be noncompliant, the removal of this vague language will avoid some additional uncertainty. (Section 999.315)

These changes together signal the Attorney General’s acceptance that some of the steps it had previously taken to broaden the reach of the CCPA went too far, or that clarification was necessary. The enforcement of the regulations, which has begun, will need to play out before we can understand them fully. But one thing we do know is that the regulations will be short-lived and will require significant overhaul if the California Privacy Rights Act of 2020 ballot initiative passes in November and becomes law in 2023. Stay tuned.

Firm Highlights

Publication

Senate Democrats Release Competing COVID-19 Privacy Bill

Democratic Senators Richard Blumenthal and Mark Warner have introduced the  Public Health Emergency Privacy Act  in response to  the bill of the same subject released by Senate Republicans  (the  COVID-19 Consumer Data Protection Act...

Read More
News

In Novel Case, Insurer Sues Own Law Firm After Data Breach

Tyler Gerking was quoted in the Law360 article "In Novel Case, Insurer Sues Own Law Firm After Data Breach." In the article Tyler said, "This case shows some of the hazards that all companies face...

Read More
Publication

Private Rights of Action and the CCPA—Unlimited Limitation?

As we are all well aware by now, the California Consumer Privacy Act (CCPA) (Cal. Civ. Code Sections 1798.100 et seq.) went into effect on Jan. 1. Through its amendments and regulations (the latter...

Read More
Publication

Trademark Office Deadlines and Coronavirus-Related Delays (Updated)

With all of the business interruption caused by the COVID-19 pandemic, many worldwide trademark offices have taken steps to recognize the issues caused by the crisis. The offices in which applicants from the U.S...

Read More
Publication

Federal “COVID-19 Consumer Data Protection Act” Proposed

A group of Republican senators has proposed a new privacy law to govern the collection and use of certain personal information thought to be both important and at risk during the current coronavirus crisis...

Read More
Publication

Signatures Submitted for Inclusion of New California Privacy Law on November Ballot

Californians for Consumer Privacy has announced that it has secured and submitted enough signatures to qualify its California Privacy Rights Act (“CPRA”) for inclusion on California’s November 2020 ballot. Alistair Mactaggart, the architect behind...

Read More
Publication

Reopening Plans and Recommended Protocols Beg New Privacy Issues

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With...

Read More
Publication

Zoom Successfully Addresses New York’s Privacy and Security Concerns

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom , as it becomes a significant part of American daily life during the COVID-19 pandemic. ...

Read More
Publication

A Roadmap to Litigating Privacy Claims? A Look at a Recent Order From the Google Assistant Privacy Litigation

As privacy-related litigation continues to heat up, Judge Beth Freeman (ND Cal.) recently laid out in In re Google Assistant Privacy Litigation (Case No. 19-cv-04286) [1] a potential roadmap for surviving or winning a...

Read More
Publication

Reopening Businesses Must Consider Employee and Consumer Privacy

While we’re far from returning to the “normal” that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously “nonessential” businesses are returning to operations. Along with these openings, governmental...

Read More